Conversation

@modzilla99

What this PR does / why we need it:

With this PR the Controller will automatically allow the egress IPs of the ManagedSeed. This will fix the blackbox exporter check that tries to externally access the shoots API.

Special notes for your reviewer:
The ConfigMap called shoot-info will be present in Seed clusters that are themselves shoots. So it will only work on ManagedSeed(-Set)s.

Signed-off-by: Justin Lamp <[email protected]>
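The ACL update the PR describes (adding the ManagedSeed's egress IPs to the allowed CIDRs), as an added Go example that is not the PR's or Gardener's own code: it assumes the egress IPs arrive as plain address strings and the existing ACL as CIDR strings, and does not model where they are read from (the shoot-info ConfigMap and its keys).

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// allowEgressIPs returns the ACL that results from adding the ManagedSeed's
// egress IPs (plain addresses; an assumed input shape) to the existing allowed
// CIDRs. Each IP becomes a host prefix (/32 or /128); IPs already covered by an
// existing, possibly wider, entry are skipped so repeated reconciles stay
// idempotent. Every entry must parse: a silently dropped or widened entry
// would change what the ACL actually allows.
func allowEgressIPs(existing, egressIPs []string) ([]string, error) {
	acl := make([]netip.Prefix, 0, len(existing)+len(egressIPs))
	for _, s := range existing {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, fmt.Errorf("invalid ACL entry %q: %w", s, err)
		}
		acl = append(acl, p.Masked()) // canonical form, e.g. 10.0.0.5/8 -> 10.0.0.0/8
	}
	for _, s := range egressIPs {
		addr, err := netip.ParseAddr(s)
		if err != nil {
			return nil, fmt.Errorf("invalid egress IP %q: %w", s, err)
		}
		addr = addr.Unmap() // treat ::ffff:a.b.c.d as the IPv4 address a.b.c.d
		if !covered(acl, addr) {
			acl = append(acl, netip.PrefixFrom(addr, addr.BitLen()))
		}
	}
	out := make([]string, 0, len(acl))
	for _, p := range acl {
		out = append(out, p.String())
	}
	sort.Strings(out) // stable ordering for comparison and diffing
	return out, nil
}

// covered reports whether addr is already inside one of the ACL prefixes.
func covered(acl []netip.Prefix, addr netip.Addr) bool {
	for _, p := range acl {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}
```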
@hown3d hown3d (Member) left a comment

Thanks for the contribution!
I'd like to propose some changes.

@modzilla99 modzilla99 force-pushed the allow-egress-ips-on-managedseeds branch from 9ec0e20 to 99cacca on November 17, 2025 13:24
@modzilla99 modzilla99 requested a review from hown3d November 17, 2025 14:42
@hown3d hown3d (Member) commented Nov 18, 2025

I was just thinking about whether we should add a check to only add the seed CIDR if the blackbox exporter is actually deployed.
This is configurable in the gardenlet configuration if monitoring is enabled:
https://github.com/gardener/gardener/blob/master/pkg/gardenlet/apis/config/v1alpha1/helper/helpers.go#L59-L59

@timebertt WDYT?

@modzilla99 modzilla99 force-pushed the allow-egress-ips-on-managedseeds branch from 99cacca to 4fc2342 on November 19, 2025 07:22
@modzilla99 modzilla99 (Author) commented

I was just thinking about whether we should add a check to only add the seed CIDR if the blackbox exporter is actually deployed. This is configurable in the gardenlet configuration if monitoring is enabled: https://github.com/gardener/gardener/blob/master/pkg/gardenlet/apis/config/v1alpha1/helper/helpers.go#L59-L59

@timebertt WDYT?

I would not know how to implement this. How would I get a hold of the gardenlet configuration to check it?

@timebertt timebertt (Member) commented

I'm curious:
I suspect that allowing the egress IP of the seed cluster for the blackbox-exporter is not required for all setups. Typically, in-cluster clients of a LoadBalancer service directly talk to the clusterIP (due to an optimization by kube-proxy). I.e., the ACL should already allow the blackbox-exporter to access API servers on the same seed in most cases.

Can you outline your setup in detail?

  • What kube-proxy mode are you using?
  • How is the istio-ingressgateway service configured (traffic policy and load balancer IP mode)?
